Reduction calculations

ABSTRACT

An Elliptic Curve Cryptography reduction technique utilises a prime number having a first section of Most Significant Word “1” states, with N = n_(m−1)·B^(m−1) + … + n₁·B + n₀.

The present invention relates to a method of performing a reduction operation and to apparatus for performing a reduction operation.

Elliptic Curve Cryptography (ECC) involves the use of calculations on an elliptic curve relationship over GF(p) and requires the multiplication of long integers which are carried out repeatedly during the implementation of, for example, public key algorithms in cryptographic processors.

Typically, the multiplication operations must be carried out many hundreds of times to complete an encryption or decryption operation, and so it is important that the cryptographic devices that perform these operations execute the long multiplications quickly using a high speed multiplier.

Increasingly, such cryptographic algorithms are used in electronic devices, for example smart cards, and in these applications processing capability and power consumption are severely limited.

One conventional calculation method is the Quisquater system which operates on the Most Significant Word using the operation R′ = R + (−N′·MSW),

where N′ is a special multiple of N. In fact, −N′ is used in its 2's complement notation.

The reduction operation is inefficient, and the result may be too large, necessitating the addition of (−N′) to R′.

Another conventional calculation method is the Montgomery system which operates on the Least Significant Word using the operation R′ = R + N·Q

where Q = LSW·M mod 2^n.

Again the reduction operation is inefficient and might be one bit too large requiring restoration by subtraction of N.

It is therefore an object of the present invention to provide a more efficient reduction operation.

It is also an object of the present invention to provide a reduction operation with a lower number of multiplication operations.

It is also an object of the present invention to provide a reduction operation which provides fewer overflows in the calculation operations.

It is also an object of the present invention to provide a reduction operation in which the reduction operation is completed faster.

According to one aspect, the present invention provides a method of performing a reduction operation in a cryptographic calculation, the method comprising selecting a modulus having a first section with a plurality of “1” Most Significant Word states and a second section which comprises a plurality of “1” or “0” states whereby the number formed of the two sections is a modulus or a multiple of a modulus, and operating a reduction operation on the modulus/multiple.

By this selection of a particular form of a modulus/multiple for use in the calculation, the reduction operation involves fewer multiplication operations.

Thus a significant benefit provided by the present invention is that the time taken to complete the entire calculating operation is reduced.

Moreover, the degree of security afforded by the method of the present invention is maintained as compared to conventional cryptographic methods.

Preferably the method comprises monitoring the number of leading “1”s to determine if the number is less than (k−2). Advantageously, when the number of leading “1”s is less than (k−2), the next calculation is initiated.

Thus a further advantage of the present invention is that a number of multiplication operations can be processed simultaneously, thereby reducing the time taken to complete calculating operations.

In one embodiment of the present invention for 192-bit ECC and a word size of 64 bits, the modulus comprises a first section of 138 bits and a second section of 54 bits.

In another embodiment of the present invention for 128-bit ECC and a word size of 64-bit, the modulus comprises a first section of 74 bits and a second section of 54 bits.

In another embodiment of the present invention for 256-bit ECC and a word size of 64-bit, the modulus comprises a first section of 202 bits and a second section of 54 bits.

The invention can also work with a number of moduli which have fewer significant bits than a multiple of the word size. In that case, the system works with a multiple of the modulus which has the required number of leading 1's. Only at the very end does the result have to be reduced to the original (smaller) modulus.

In one preferred arrangement, the method of the present invention utilises a modulus consisting of m words, with all the words except the Least Significant Word (LSW) consisting of “1”s, and the LSW having a number of leading “1”s (for example ten). This number can be any value, bearing in mind that the larger it is, the less often an additional reduction is required.

According to another aspect, the present invention provides a computer program product directly loadable into the internal memory of a digital computer, comprising software code portions for performing the method of the present invention when said product is run on a computer.

According to another aspect, the present invention provides a computer program directly loadable into the internal memory of a digital computer, comprising software code portions for performing the method of the present invention when said program is run on a computer.

According to another aspect, the present invention provides a carrier, which may comprise electronic signals, for a computer program embodying the present invention.

According to another aspect, the present invention provides electronic distribution of a computer program product, or a computer program, or a carrier of the present invention.

According to another aspect, the present invention provides apparatus for performing a reduction operation in a cryptographic calculation, the apparatus comprising means to select a modulus or a multiple of a modulus having a first section with a plurality of “1” states and a second section having a plurality of “1” or “0” states whereby the number formed of the two sections is a modulus or a multiple of a modulus.

In order that the present invention may more readily be understood, a description is now given, by way of example only, reference being made to the accompanying drawings, in which:

FIG. 1 is an application of the present invention in a smart card;

FIG. 2 is a schematic drawing of a reduction operation embodying the present invention for 192-bit ECC and 64-bit words;

FIG. 3 is a schematic drawing of another reduction operation of the present invention for 128-bit ECC and 64-bit words;

FIG. 4 is a schematic drawing of another reduction operation of the present invention for 256-bit ECC and 64-bit words;

FIG. 5 is a hardware implementation of the present invention.

FIG. 1 shows a block diagram of a hardware implementation of the present invention incorporating a smart card 50 with the following components:

-   Microcontroller 51 for general control to communicate with the outside world via the interface. It sets pointers for data in RAM/ROM and starts the coprocessor.
-   Interface to the outside world, for contact with smart cards e.g. according to
-   A Read Only Memory (ROM) 52 for the program of the microcontroller.
-   A Programmable Read Only Memory (Flash or EEPROM) 53 for the non-volatile storage of data or programs.
-   RAM 54 for storage of volatile data, e.g. for storage of intermediate results during calculations.
-   Coprocessor 55 dedicated to perform special high-speed tasks for ECC or RSA calculations. When a task is ready, control is returned to the microcontroller.

In a variant, the present invention is implemented in software on a microprocessor, with an ALU providing the add, subtract and shift operations, the controller programmed to provide the control logic, and degree detection performed by shift registers.

There is shown in FIG. 2 a reduction operation of the present invention which is performed with a modulus of 192 bits in total (three 64-bit words), having a first section of all “1” states consisting of two 64-bit words and 10 bits. The second section of the modulus is 54 bits and can be any number provided that the total number is a prime. The bigger the number, the less often an additional reduction is required.

In general, N can be written as: N = n_(m−1)·B^(m−1) + … + n₁·B + n₀ (B = 2⁶⁴)

The special requirements for the selection of N are:

-   n₁ … n_(m−1) are fixed and contain only 1's (n₁ = … = n_(m−1) = B−1).
-   n₀ is general except for k MSBs which are also 1, leaving 64−k bits free to choose.

Then N is written as

N = B^m − B + n₀ = B^m − n₀′, with n₀′ = B − n₀

Let R be the result, which has to be reduced by one word: R = r_m·B^m + r_(m−1)·B^(m−1) + … + r₁·B + r₀

Reduce the result by subtraction of the product r_(m)N from R as follows:

R′ = R − r_m·N = r_m·B^m + r_(m−1)·B^(m−1) + … + r₁·B + r₀ − r_m·(B^m − B + n₀) = r_(m−1)·B^(m−1) + … + r₂·B² + r₁·B + r₀ + r_m·(B − n₀) = (R − r_m·B^m) + r_m·n₀′

This means that, for the reduction, omit the word r_(m) and add to the Least Significant Word r₀ the product r_(m)·n₀′. The reduction implies only one multiplication instead of the normal m multiplications.

n₀′ is always positive, since n₀<B. The result is also always positive.

Instead of n₀, store and use n₀′.

In some cases, the result is 1 bit too large. Then it is necessary to subtract N again. R′ = (B^m + r_(m−1)·B^(m−1) + … + r₁·B + r₀) − (B^m − n₀′) = r_(m−1)·B^(m−1) + … + r₁·B + (r₀ + n₀′) = (R − B^m) + n₀′.

So, we have only to add n₀′ and discard the overflow bit B^m.

For every multiplication by one word, do such a reduction. Alternatively, do all multiplications first and then the reductions. The latter method is described here. The description below is for 192-bit ECC and a 64-bit word size (m=3). N = B³ − B + n₀ = B³ − n₀′; 2⁹ ≤ n₀ < B (B = 2⁶⁴).

R is the result of the multiplication of three 64-bit words by also three 64-bit words, which results in 6 words (r₀ . . . r₅).

Then the reduction is done as follows:

-   Multiplication of n₀′ by r₄ and adding r₁ (step S1);
-   Multiplication of n₀′ by r₅ and adding r₂ and the carry c of the previous multiplication. Moreover r₃ is added to the upper part of the multiplication. The result consists of the lower half, again called r₂, and the upper half q (step S2);
-   Multiplication of q by n₀′ and adding r₀, and adding the new r₁ to the upper part (step S3);
-   When the last multiplication gives an overflow, the overflow is added to r₂, e.g. by the multiplication of n₀′ by 0 (giving 0), the addition of r₁ (giving r₁ as the lower half) and the addition of r₂ to the upper part together with the carry, i.e. the overflow bit (step S4);
-   When this again gives an overflow (i.e. only when r₂ consists of all ones, chance 2⁻⁶⁴), n₀′ is added (step S5).

This can be done by the multiplication of n₀′ by 1, adding r₀ to the lower half and r₁ to the upper half.

The carry of the second multiplication (q) is used as multiplicand in the next multiplication, and can be enlarged by 1 bit.

When the input r₁ to the multiplication n₀′·q does not have 8 leading ones (the chance that it does is less than 1/256), there will be no overflow, since n₀′·q has at least 8 leading zeros because of n₀′. In that case, the program does not wait for the overflow before proceeding.

Handling of overflows involves time, which has to be minimised wherever possible. Accordingly, n₀ has a number of leading ones (k), so n₀′ has at least k−1 leading zeros.

Thus, the product n₀′·c₂ (c₂ being the carry q of the second multiplication) has at least k−2 leading zeros, since q might be enlarged by 1 bit.

In order to produce an overflow, the addition of B·c₀ + r₀ has to have at least k−2 leading ones and a carry c from the lower bits.

The probability that this will happen is less than 2^(−(k−2)). Therefore by making k high, the likelihood of an overflow is very small.

The probability of the second overflow is extremely small (2⁻⁶⁴), since r₂ has to consist completely of ones.

In practice, a pipelined multiplier is used to provide efficient calculation operations, so a number of multiplications are being processed at the same time. It takes a few clock cycles to get the result from the multiplier. When it is necessary to wait to determine whether an overflow occurs, the next multiplications cannot begin until the overflow has been calculated. Thus r₁ is monitored and if it does not have k−2 leading “1”s there will be no overflow a few cycles later so the next multiplication can be started.

There is shown in FIG. 3 a different embodiment for 128-bit ECC and a word size of 64-bit incorporating a modulus N having 128 bits.

In this embodiment, N = B² − B + n₀ = B² − n₀′; 2⁹ ≤ n₀ < B.

The operands have to be in normal space.

Then the reduction is done as follows:

-   Multiplication of n₀′ by r₃ and adding r₁. Also r₂ is added to the upper part of the multiplication. The result consists of the lower half, again called r₁, and the upper half called q (step S10);
-   Multiplication of q by n₀′ and adding r₀, and adding the new r₁ to the upper part (step S11);
-   When the last multiplication gives an overflow then we add n₀′ (step S12), e.g. by the multiplication/addition n₀′·1 + B·r₁ + r₀.

There is shown in FIG. 4 a different embodiment for 256-bit ECC and a word size of 64-bit incorporating a prime number having 256 bits.

In this embodiment, N = B⁴ − B + n₀ = B⁴ − n₀′; 2⁹ < n₀ < B.

The operands have to be in normal space.

Then the reduction is done as follows:

-   Multiplication of n₀′ by r₅ and adding r₁ (step S20), with the new result called r₁;
-   Multiplication of n₀′ by r₆ and adding r₂ and the carry c of the previous multiplication (step S21), with the new result called r₂;
-   Multiplication of n₀′ by r₇ and adding r₃ and the carry c of the previous multiplication. Moreover r₄ is added to the upper part of the multiplication (step S22). The result consists of the lower half, again called r₃, and the upper half q;
-   Multiplication of q by n₀′ and adding r₀, and adding the new r₁ to the upper part (step S23);
-   When the last multiplication gives an overflow, the overflow is added to r₂ (step S24);
-   When this again gives an overflow, it is added to r₃ (step S25);
-   When this again gives an overflow, n₀′ is added (step S26).

The carry of the third multiplication (q) is used as multiplicand in the next multiplication, and can be enlarged by 1 bit.

FIG. 5 is a block diagram of a hardware implementation of the present invention having the following components:

-   X-, Y-, U- and Z-registers 10 to 13 for storing the input operands X, Y, U and Z respectively;
-   C- and R-registers 14, 15 for storing the outputs C and R;
-   RAM 16 for storing the intermediate results;
-   Multiplier 17 which performs the operation B·C + R = X·Y + B·U + Z + c;
-   State machine 18 which controls the operations and the transport between RAM and registers or between registers.

Multiplier 17 calculates the product of X and Y and adds, if required, the previous carry c, which is internally stored. The result is split into two equal parts, Z being added to the lower half and U to the upper half.

The output of C-reg 14 can also be directly used as y-input (for example for q in FIG. 2).
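The following Python is an added worked example, not code from the patent: it models multiplier 17 as a function and runs the word-level step sequences of FIG. 3, FIG. 2 and FIG. 4 (m = 2, 3, 4) as one general loop, then checks that the m-word result is congruent to the 2m-word product modulo N = B^m − n₀′ and lies below B^m. The function names, the random self-check and the monitor `may_overflow` are this example's own assumptions; the k leading ones of n₀ and the B^m ≡ n₀′ folding are as described above.

```python
# Added example for this page; not code from the patent or its implementation.
import random

W = 64
B = 1 << W
MASK = B - 1

def mul_add(x, y, u=0, z=0, c=0):
    """Software model of multiplier 17 (FIG. 5): B*C + R = x*y + B*u + z + c.
    Returns (C, R); R is one word, C may be one bit wider than a word."""
    t = x * y + B * u + z + c
    return t >> W, t & MASK

def make_modulus(m, k, low_bits):
    """N = (m-1 all-ones words) || n0, n0 having k leading ones and W-k free
    bits.  Returns (N, n0') with n0' = B - n0.  Primality is not checked."""
    n0 = ((MASK << (W - k)) & MASK) | (low_bits & ((1 << (W - k)) - 1))
    n0p = B - n0
    return B ** m - n0p, n0p

def may_overflow(r1, k):
    """Monitor from the description: the last multiplication can only
    overflow if its upper-part input r1 has at least k-2 leading ones."""
    return r1 >> (W - (k - 2)) == (1 << (k - 2)) - 1

def reduce_words(r, n0p, m):
    """Fold the 2m-word product r[0..2m-1] into m words congruent to it
    mod N = B^m - n0': one multiplication per high word (S1..S5 for m=3)."""
    r = list(r)
    c = 0
    for i in range(1, m):              # S1..S(m-1): n0'*r[m+i] + r[i] + carry
        u = r[m] if i == m - 1 else 0  # r[m] enters the upper part, ends in q
        c, r[i] = mul_add(n0p, r[m + i], u, r[i], c)
    q = c                              # carry of the last step, up to 65 bits
    c, r[0] = mul_add(n0p, q, r[1], r[0])   # q*B^m == q*n0' (mod N)
    r[1], overflow = c & MASK, c >> W       # overflow is the B^m bit
    while overflow:                    # S4: ripple through r[2..m-1]
        for i in range(2, m):
            r[i] += overflow
            overflow, r[i] = r[i] >> W, r[i] & MASK
        if overflow:                   # S5: all upper words were ones, add n0'
            c, r[0] = mul_add(n0p, overflow, r[1], r[0])
            r[1], overflow = c & MASK, c >> W
    return r[:m]

def words_to_int(words):
    return sum(w << (W * i) for i, w in enumerate(words))

def int_to_words(x, n):
    return [(x >> (W * i)) & MASK for i in range(n)]

def check(m, k, trials=200, seed=1):
    """Reduce random products a*b (a, b < N): the m-word result must be
    congruent to a*b mod N and below B^m.  Returns how many results were
    still >= N, i.e. needed the single final subtraction of N."""
    rng = random.Random(seed)
    N, n0p = make_modulus(m, k, rng.getrandbits(W - k))
    partial = 0
    for _ in range(trials):
        a, b = rng.randrange(N), rng.randrange(N)
        out = words_to_int(reduce_words(int_to_words(a * b, 2 * m), n0p, m))
        assert out < B ** m and (out - a * b) % N == 0
        partial += out >= N
    return partial
```

`check(3, 10)` exercises the FIG. 2 sequence with the 138/54-bit split; the small-n₀′ cases in the test (n₀′ = 5, m = 2) walk through the overflow path of steps S11 and S12 by hand-checkable values.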

In another form the present invention is implemented by software running on a microprocessor with appropriate ALUs to provide add, subtract and shift operations, and shift registers.

1. A method of performing a reduction operation in a cryptographic calculation, the method comprising selecting a modulus having a first section with a plurality of “1” Most Significant Word states and a second section which comprises a plurality of “1” or “0” states whereby the number formed of the two sections is a modulus or a multiple of a modulus, and operating a reduction operation on the modulus/multiple.
 2. A method according to claim 1 comprising effecting a plurality of multiplication operations.
 3. A method according to claim 2 comprising effecting a plurality of multiplication operations followed by effecting a reduction operation.
 4. A method according to claim 3 comprising repeating the combined multiplication operations and reduction operation.
 5. A method according to claim 1 comprising using a multiple of the modulus/multiple.
 6. A method according to claim 1 wherein, when the last multiplication gives an overflow, the overflow is added to a part of the selected number.
 7. A method according to claim 6 wherein, when the overflow addition step produces an overflow, then n₀′ is added to the overflow.
 8. A method according to claim 1, wherein the carry c between two adjacent multiplications is effected as the addend in the next multiplication.
 9. A method according to claim 1 comprising monitoring the number of leading “1”s to determine if the number is less than (k−2).
 10. A method according to claim 6 comprising initiating the next calculation when the number of leading “1”s is less than (k−2).
 11. A method according to claim 1, the method comprising operating 192-bit ECC with a word size of 64-bit, wherein the modulus comprises a first section of 138 bits and a second section of 54 bits.
 12. A method according to claim 1, the method comprising operating 128-bit ECC with a word size of 64-bit, wherein the modulus comprises a first section of 74 bits and a second section of 54 bits.
 13. A method according to claim 1, the method comprising operating 256-bit ECC with a word size of 54-bit, wherein the modulus comprises a first section of 202 bits and a second section of 54 bits.
 14. A computer program product directly loadable into the internal memory of a digital computer, comprising software code portions for performing the method of claim 1 when said product is run on a computer.
 15. A computer program directly loadable into the internal memory of a digital computer, comprising software code portions for performing the method of claim 1 when said program is run on a computer.
 16. A carrier, which may comprise electronic signals, for a computer program of claim 15.
 17. Electronic distribution of a computer program product of claim 14 or a computer program of claim 15 or a carrier of claim 16.
 18. Apparatus for performing a reduction operation in a cryptographic calculation, the apparatus comprising means to select a modulus or a multiple of a modulus having a first section with a plurality of “1” states and a second section having a plurality of “1” or “0” states whereby the number formed of the two sections is a modulus or a multiple of a modulus, and means for operating a reduction operation on the modulus/multiple.
 19. Apparatus according to claim 18 comprising means to effect a plurality of multiplication operations.
 20. Apparatus according to claim 19 comprising means to effect a plurality of multiplication operations followed by a reduction operation.
 21. Apparatus according to claim 20 comprising means to repeat the combined multiplication operations and reduction operation.
 22. Apparatus according to claim 18 comprising means (10-17) to use a multiple of the modulus/multiple.
 23. Apparatus according to claim 18 comprising means, when the last multiplication gives an overflow, to add the overflow to a part of the selected number.
 24. Apparatus according to claim 23 comprising means, when the overflow addition step produces an overflow, to add n₀′ to the overflow.
 25. Apparatus according to claim 18 comprising means to effect the carry c between two adjacent multiplications as the addend in the next multiplication.
 26. Apparatus according to claim 18 comprising means to monitor the number of leading “1”s to determine if the number is less than (k−2).
 27. Apparatus according to claim 18 comprising means to initiate the next calculation when the number of leading “1”s is less than (k−2).
 28. Apparatus according to claim 18 with means for 192-bit ECC and a word size of 64-bit, the modulus comprises a first section of 74 bits and a second section of 54 bits.
 29. Apparatus according to claim 18 with means for 128-bit ECC and a word size of 64-bit, the modulus comprises a first section of 74 bits and a second section of 54 bits.
 30. Apparatus according to claim 18 with means for 256-bit ECC and a word size of 64-bit, the modulus comprises a first section of 202 bits and a second section of 54 bits.
 31. A method of performing a reduction operation substantially as hereinbefore described with reference to, and/or as illustrated in, any one or more of FIGS. 1 to 5 of the accompanying drawings.
 32. Apparatus for performing a reduction operation in a cryptographic calculation, the apparatus substantially as hereinbefore described with reference to, and/or as illustrated in, any one or more of FIGS. 1 to 5 of the accompanying drawings.
 33. A method of performing a reduction operation in a cryptographic calculation, the method substantially as hereinbefore described with reference to, and/or as illustrated in, any one or more of FIGS. 1 to 5 of the accompanying drawings.